Hijacked on searches!!.....
Ok...I'm going nuts again, and could use some help. I went to a website, which promptly installed a Trojan virus. I knew this, because my system started crashing hard. I immediately killed the wireless connection, and ran my AV. It caught 3 viruses, and removed them. I also ran Ad-Aware, and Spy-Bot, which both found a few things, and removed them. I then ran HiJack This, but it did not find anything out of the ordinary. Everything seems to be ok until... If I type something into any search engine, and then try to follow a link, it almost always redirects to somewhere else, and occasionally spawns a new IE window. This is obviously very annoying. I have run, rerun, and rerun all my tools again and again, but nothing is being found. Clearly, something is still hanging out on my system.
Any other suggestion on tools to super scan and remove.. I've already deleted all temp files, BHO's, cookies, histories, passwords.....
EDIT: Okay, so I just figured out it may be the built-in search of IE.. The search field in the top right corner of IE... If I type my search there, I get redirected when I click on a result. I think it's trying to send me to Pronto.com, or searchassist.com.. If I just go to Yahoo or Google and do the same search I can click any link and it works fine...does that make any sense?
i remain, he who remains to be....
Comments
veritas_libertas (Member, 5,746 posts):
Ricka182 wrote: »Ok...I'm going nuts again, and could use some help. I went to a website, which promptly installed a Trojan virus. I knew this, because my system started crashing hard. I immediately killed the wireless connection, and ran my AV. It caught 3 viruses, and removed them. I also ran Ad-Aware, and Spy-Bot, which both found a few things, and removed them. I then ran HiJack This, but it did not find anything out of the ordinary. Everything seems to be ok until... If I type something into any search engine, and then try to follow a link, it almost always redirects to somewhere else, and occasionally spawns a new IE window. This is obviously very annoying. I have run, rerun, and rerun all my tools again and again, but nothing is being found. Clearly, something is still hanging out on my system.
Any other suggestion on tools to super scan and remove.. I've already deleted all temp files, BHO's, cookies, histories, passwords.....
Yeah, stay away from those kinds of web sites. I'm not trying to just be funny; most normal web sites you run into shouldn't be infected like that.
You probably want to wipe your PC and start over. It's really hard to fully clean a PC.
Oh, and this is kinda cool for reviewing a web site:
http://www.google.com/safebrowsing/diagnostic?site=
You can place a web address behind "=" and it gives you all kinds of info on past infections, etc. If you want some amusement ask it about Facebook and Twitter.
arwes (Member, 633 posts):
Check your LMHOSTS file for alterations from spyware. It's a common thing.
Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation!
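The check arwes suggests is worth automating, with one correction of detail: LMHOSTS only maps NetBIOS names, while the file that silently redirects browser traffic is HOSTS, which on Windows sits at C:\Windows\System32\drivers\etc\hosts. The script below is an added example and not code posted in this thread. It parses hosts-file text and reports the two patterns search-hijacking spyware typically leaves: a well-known search or security-vendor domain pointed at a foreign address (which would explain clicked results landing somewhere else), and a vendor or update site sinkholed to loopback or 0.0.0.0 (which blocks scanner downloads and updates). The sample file content, the 203.0.113.10 address, and the watchlist of domains are all constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple

# Default location on Windows; LMHOSTS beside it is irrelevant for browser
# redirects, HOSTS is what overrides DNS for every application.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains a home client has no legitimate reason to override. This list is
# an assumption made for the example, not something taken from the thread.
WATCHLIST = (
    "google.com", "yahoo.com", "bing.com", "live.com",
    "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "safer-networking.org", "superantispyware.com",
)

# Constructed sample hosts file (not from any real machine). Lines 4-6
# imitate the alterations a search hijacker leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com
203.0.113.10    search.yahoo.com
127.0.0.1       www.malwarebytes.org
"""


class Finding(NamedTuple):
    line: int
    host: str
    address: str
    severity: str
    reason: str


def on_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text: str):
    """Yield (line_no, ip_address, hostname) for every mapping in the file,
    skipping blank lines, comments and lines whose address does not parse."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, ignore it
        for host in fields[1:]:                 # one address may map many names
            yield line_no, addr, host.lower()


def audit_hosts(text: str) -> List[Finding]:
    """Return the suspicious mappings found in hosts-file text."""
    findings: List[Finding] = []
    for line_no, addr, host in parse_hosts(text):
        watched = on_watchlist(host)
        if addr.is_loopback or addr.is_unspecified:
            # Sinkholed name: normal for "localhost", suspicious when it is an
            # update server or a security vendor the user would download from.
            if watched:
                findings.append(Finding(line_no, host, str(addr), "high",
                                        "vendor/search site sinkholed"))
        else:
            # Any name mapped to a foreign address is a redirect; it is worst
            # when the name is a search engine, as in the OP's symptom.
            findings.append(Finding(line_no, host, str(addr),
                                    "high" if watched else "medium",
                                    "host redirected to a foreign address"))
    return findings


def audit_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> List[Finding]:
    """Audit the real hosts file on disk (run from a clean boot medium when
    the installed OS is suspect, since a rootkit can hide file contents)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line}: {f.host} -> {f.address} [{f.severity}] {f.reason}")
```

Run against the sample it reports the two redirected search domains and the sinkholed vendor site, and nothing for the two localhost lines. As tiersten notes further down the thread, read the file from a known-good boot medium rather than from the infected installation, since what the compromised OS shows you may not be what is on disk.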
Ricka182 (Member, 3,359 posts):
I have no intention of wiping anything, unless it becomes the absolute last thing. That's almost a bigger pain than just finding a program that can identify what's living on my laptop. I've run about 15 different programs, and they're not finding much at all.
I have checked the LMHOSTS file, the only listing is my local loopback....
I did a search on the sites I am being redirected to, and they are known to be bad.. I can get around it by copying the URL from the search directly into the address bar, but again, pain in the arse...
I'll keep looking..I know I can fix this..at least I hope
i remain, he who remains to be....
arwes (Member, 633 posts):
Have you tried MalwareBytes & ComboFix? ComboFix is kind of the last resort, cause I've had it kill system files before (did an XP repair install after that though so all was good).
Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation!
Kaminsky (Member, 1,235 posts):
What AV are you running? May be time to get a decent one that will clear up all the little things like this as well.
If you're searching with Google, I notice that the first couple of searches returned are usually always sponsored links that do redirection, but if you are still being redirected to these dodgy sites, that suggests your AV hasn't got rid of that part of the infection. It also suggests you may have a lot of other nasties on your machine that it hasn't fixed too.
I have Kaspersky on mine which my bank was giving away if you did their online banking. Still cheap enough in the shops though. It's an absolute golden rule with AV: you get what you pay for.
Kam.
NinjaBoy (Member, 968 posts):
I would also say do a system restore to a day or so before you visited the website.
-Ken
tiersten (Member, 4,505 posts):
Ricka182 wrote: »I have no intention of wiping anything, unless it becomes the absolute last thing. That's almost a bigger pain than just finding a program that can identify what's living on my laptop.
To scan your PC properly, you have to be booting off known good external storage like a CD containing a recovery image. If you're scanning it from the compromised installation itself then things may be hidden from you and the scanning package.
4E6564 (Member, 32 posts):
Check your proxy settings, I've seen viruses change the proxy...anti-virus can't figure it out.
If you are using Internet Explorer just reset all of your browser settings to default, or look for the proxy setting.
pennystrader (Member, 155 posts):
I fix a lot of people's computers in my spare time and I never just wipe it. Here is what I do and I have always gotten rid of all of the spyware.
Turn off system restore (after installing the spyware programs below, run in safe mode with networking).
Place Spybot, Malwarebytes, free SUPERAntiSpyware (this program lets you set your homepage as well and protects it from being hijacked) all on the machine.
Download Autoruns from Sysinternals and look at all the running processes. You can kill a lot of spyware using this before running any scans.
Install AV (I like AVG), but whatever, so you've got an active one running.
Windows Update your box fully when the spyware is gone.
Surf the web using a program like Sandboxie if you are not sure certain sites have spyware. This program creates a virtual sandbox so that if you get infections it stays in the sandbox and not on your computer. You can also do this with a virtual machine on your desktop if you are interested. I do this and it works well.
I have also used a custom-built BartPE CD when things were really bad, as it boots in a PE environment before Windows is booted and will get rid of everything easily. Some people may have never used these kinds of CDs though, but they rock the house:)
http://www.superantispyware.com/
http://www.safer-networking.org/en/index.html
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.malwarebytes.org/
http://free.avg.com/us-en/homepage#axzz0cDWIWip5
http://www.nu2.nu/pebuilder/
Good luck.
The more knowledge one obtains the more there is to accumulate.....
tiersten (Member, 4,505 posts):
pennystrader wrote: »I fix a lot of people's computers in my spare time and I never just wipe it.
pennystrader wrote: »Surf the web using a program like Sandboxie if you are not sure certain sites have spyware. This program creates a virtual sandbox so that if you get infections it stays in the sandbox and not on your computer. You can also do this with a virtual machine on your desktop if you are interested. I do this and it works well.
pennystrader wrote: »I have also used a custom-built BartPE CD when things were really bad, as it boots in a PE environment before Windows is booted and will get rid of everything easily. Some people may have never used these kinds of CDs though, but they rock the house:)
Ricka182 (Member, 3,359 posts):
Thanks for all the replies.... I'll probably have to go the wiping route it seems. I ran a bunch of tools, including the AVG full scan, Ad-Aware, Spybot, Malwarebytes, and at least 6 others... Malwarebytes seemed to find the one last infection, it removed it..said I had to reboot to complete. I did. And now it gets to the XP logo screen, and before the progress bar even hits the far right, a blue screen error flashes across, and then it reboots right away. I think I know why, but I'll have to plug it in at work tomorrow to double check. I don't have the HDD adapter to diagnose with another machine at home.
I keep all my "want to keep" data on a separate partition, so as long as I can get that I'm fine. It's just a pain to reload the OS, all the apps, and updates... thanks again..
Oh, just thought of this...I tried using the recovery console, but like a bad IT admin guy, I haven't used my admin password in months..and can't remember the damn thing... any way to get around that?
i remain, he who remains to be....
JDMurray (Admin, 13,045 posts):
If you use FireFox, I HIGHLY recommend the NoScript add-on to prevent JavaScript and Flash from running in your browser from untrusted Web sites. Between using NoScript, Sandboxie, Blink (eEye), an SPI firewall, and some Web-savvy, Web browsing can be both a moderately safe and useful experience.
Sandboxie appears to just intercept certain system calls and library functions. It doesn't provide full virtualisation, as is evident by the fact there is a list of incompatible software. As such, there is still the opportunity for malware to break out from the sandbox. Use a proper VM if you want to pursue this method.
Sandboxie is not 100% fool-proof, but each update released makes it more compatible with other apps (it didn't play well with Blink's system protection feature until recently).
However, if possible, Web surfing only in a throwaway VM snapshot that is isolated from your local LAN seems to be the safest solution.
On the Security Now! podcast, application sandboxes are discussed in episodes #53 and #55, and Sandboxie specifically in episodes #172 and #174.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
JDMurray (Admin, 13,045 posts):
Ricka182 wrote: »Oh, just thought of this...I tried using the recovery console, but like a bad IT admin guy, I haven't used my admin password in months..and can't remember the damn thing... any way to get around that?
What is the Windows Vista Administrator's Password? | TechExams.net Blogs
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
veritas_libertas (Member, 5,746 posts):
Are you confident enough that you can say without any doubt that you've got 100% of it removed and nothing else was changed?
+1 not every virus/key logger wants to announce its presence.
Ricka182 (Member, 3,359 posts):
Hey, I remember reading that article a couple years ago...and I remember commenting on it... too bad I'm using XP still.. That Sandboxie thing looks cool, I'll have to check that out for sure once I get the laptop back and running...
i remain, he who remains to be....
Ricka182 (Member, 3,359 posts):
Ok...so this is going to be a longshot but.....
I've figured out that somehow, the iastor.sys file has been corrupted on my laptop. In fact, it's missing..
Is there anywhere I could get a copy of that file? I've already copied the important data to another drive, so now I just want to play and try to fix the original.
I have a feeling that it is hardware specific, but I still want to give it a shot...
i remain, he who remains to be....
tiersten (Member, 4,505 posts):
iastor.sys is part of the Intel Matrix Storage Manager driver. You should be able to download and extract the necessary file from the driver packages on intel.com
dadaji (Member, 96 posts):
Check out Bleeping Computer - Computer Help and Discussion before wiping out anything. Those guys walked me through when my desktop was infected and I had the same problem about hijacking web search. It might take some time for them to reply but be patient. It's better than wiping everything out.
Ricka182 (Member, 3,359 posts):
tiersten wrote: »iastor.sys is part of the Intel Matrix Storage Manager driver. You should be able to download and extract the necessary file from the driver packages on intel.com
Trying that now..thanks!
dadaji wrote: »Check out Bleeping Computer - Computer Help and Discussion before wiping out anything. Those guys walked me through when my desktop was infected and I had the same problem about hijacking web search. It might take some time for them to reply but be patient. It's better than wiping everything out.
I got some good advice on scanning it from BC. I'll ask for more help there if the above does not work..
i remain, he who remains to be....
Ricka182 (Member, 3,359 posts):
Okay, so I was able to get the Intel Storage files copied over, but it still does not work. I get the same thing... I have one other option..I'm going to try to use one last utility someone at work is getting for me.. If that fails, I'll just wipe and reload the OS.
My data is safe, so that was my only concern..
Many, many thanks to all those who replied. I have learned a good lesson in keeping admin passwords, current backups, and non-expired AV and anti-malware on my machines...
i remain, he who remains to be....
JBrown (Member, 308 posts):
Last suggestion: stay AWAY FROM AVG. Did I just say STAY AWAY FROM AVG? That is the worst free anti-virus out there.
Get yourself Avast Home Edition, which comes for free if you register for the key, or Avira, but STAY AWAY from AVG.
tiersten (Member, 4,505 posts):
Just trash it and do a full reinstall. You're in an unknown configuration at the moment. Removal and detection of malware isn't foolproof. There have been many cases of false positives in vital system files which have caused major issues when "cleaned" or deleted. Cleaning files as well may not be possible.
In the case of iastor.sys, I expect that the scanning tool used decided that it was malware when it wasn't actually, and has broken your Windows install since iastor.sys is the driver for the HD controller. Malwarebytes warns that the GMER rootkit tool gives many false positives and not to actually take any action without advice.